Google
 

Friday, 30 November 2007

Mozilla scrambles to patch Firefox for second time this week

Regression bug in 2.0.0.10 breaks some sites, extensions; update may show on Friday
- Mozilla Corp. will probably release a Firefox update tomorrow to patch a bug in the just-released 2.0.0.10 version, according to the company's bug database.

If so, it would mark the first time that Mozilla has released two versions of the open-source browser in the same week.

A bug in rendering "canvas" HTML elements worked its way into Firefox 2.0.0.10, the edition Mozilla released Monday to fix six other vulnerabilities. Canvas elements, which were first used by Apple Inc. in its Safari browser, let Web site designers dynamically render bitmap images in HTML. Firefox, Safari and Opera support Canvas natively; Microsoft Corp.'s Internet Explorer does so with a plug-in.

All editions of Firefox 2.0.0.10 -- for Windows, Mac OS X and Linux -- break pages that include the Canvas element, and cripple at least two Firefox extensions, FoxSaver and Fotofox.

Developer Kevin Han reported the regression bug late Monday, within hours of 2.0.0.10's release. By Tuesday morning, confirmations began pouring into Bugzilla, Mozilla's bug and patch database.

"I can confirm this problem," said Klaus Reimer in a message posted to Bugzilla. "Customers are complaining because their Firefox automatically updated to 2.0.0.10 and now they can no longer order photo prints in our shop. I think this is a very serious problem, and I hope it will be fixed immediately in a 2.0.0.11 update."

By midday Tuesday, developers had come up with a fix for the flaw. A day later, Nick Thomas, one of the developers working on the bug, answered questions about an update schedule. "The release of 2.0.0.11 is tentatively scheduled for Friday, Nov. 30," he said on Bugzilla. "If that comes off, it'll be the fastest turnaround between Firefox releases to date; i.e., it relies on everything in the release process going without a hitch."

In an e-mailed statement, Mike Schroepfer, vice president of engineering for Mozilla Corp., downplayed the extent of the problem. "The bug affects a specific use case of the Canvas tag, which is not yet in wide use," he said.

As for how the flaw slipped through Mozilla's testing process, Schroepfer said: "We used our standard process of releasing a beta to tens of thousands of users and had no reports of this issue prior to the full release of 2.0.0.10. Most importantly, once we became aware of the issue, we worked overtime to address it."

He did not say whether Mozilla would, in fact, deliver Firefox 2.0.0.11 on Friday.

But even if Mozilla meets the rush deadline, the snafu will leave some users very unhappy. "We develop process management Web applications on Oracle that use AJAX [and] Ruby on Rails, and we have gone out of our way to tell our customers that we 'strongly' recommend they use Firefox," said someone identified only as Jonathan on Bugzilla. "This little episode really has egg on our face.

"For a couple of days, we have had an unbearable number of support calls. I would hope this reinforces the need for someone to put in some serious effort on developing a solid and extensive suite of regression tests. This should have NEVER gotten into a public release."

Firefox 3.0 Beta 1, which launched last week, is not affected by the Canvas regression.

Google working to make Street View images anonymous

Exec says faces, license plates won't be recognizable outside U.S. -- and maybe within it

- In the face of concerns raised by privacy advocates, Google Inc. is making changes to its Google Maps Street View feature designed to protect the privacy of people whose faces or possessions can be seen in close-up views of the street-level photographs.

When Street View is rolled out in Europe, Google will alter the photos to make sure that faces and license plate numbers aren't recognizable, said Jane Horvath, the company's senior privacy counsel. She added that Google is considering taking the same steps with the U.S. version of the Street View software.

Developed for Google by Immersive Media Corp., Street View lets Google Maps users click on a city street and see a panoramic photograph of the area. The pictures are taken by special 360-degree cameras that are roof-mounted on Volkswagen Beetles, which cruise around cities, constantly snapping photographs. The photos are so clear that people on the street can often be identified.

Soon after Street View was launched in the U.S. last May, photographs appeared that showed scantily clad women and men who apparently were entering adult bookstores or strip clubs. That prompted privacy advocates to complain that the technology was invasive. Kevin Bankston, an attorney for the Electronic Frontier Foundation, was among those who complained after he identified himself in a Street View photo.

Google responded by creating a method for people to remove their photos. But Horvath acknowledged that in other countries and regions, including Canada and the European Union, the company will have to take more aggressive measures to protect personal privacy.

"When we launch our product there, we'll be under an obligation to ensure that faces are not recognizable, nor are license tags," Horvath said Thursday during a discussion forum at the Commonwealth Club in San Francisco. "As we launch those products, we will be thinking within our product teams whether this is something that we'd like to do within the U.S. also."

Street View maps currently are available for 15 U.S. cities, including San Francisco, Los Angeles, New York and Miami.

In the U.S., Google can legally publish photographs taken in public places without securing permission from people who happen to be in the shots. But that practice violates privacy laws in many other countries.

And even if it is legal, some people may be put off by having their images appear in photographs that can be viewed by anyone on the Internet, Horvath noted.

"It's sort of that 'ick' feeling that something makes you feel uncomfortable," she said. "Our products are not static, and we're always open to changing them to make sure our users feel comfortable and trust us with their information."

Horvath added that the Street View controversy "calls into question the whole idea of whether privacy is something that needs to be regulated by law, or if there's this other concept of privacy that we need to look at, which is the right to autonomy."

Vista turns 1, and businesses start to come around ... slowly

- When Microsoft Corp. released Windows Vista to businesses exactly one year ago, near-term expectations weren't high.

Experts widely predicted that Vista, even if it was bug-free and proved to be an immediate hit with consumers, would only slowly catch on with corporations.

For instance, Gartner Inc. forecast at the time that fewer than 5% of PCs worldwide would be running a business version of Vista by the end of this year.

One year later, it's unclear whether Microsoft has met even those pessimistic projections. In July, Microsoft said companies had renewed 42 million Windows licenses that made them eligible for Vista. Trouble is, Microsoft also admitted that the vast majority of those 42 million PCs were likely still on XP, though the company claims it has no accurate way of tracking this. Microsoft has not provided a more up-to-date figure in the last four months.

According to another estimate of Vista's uptake, a Forrester Research Inc. survey of 565 North American and European PC decision-makers, after six to eight months, only 2% of corporate PCs were running Vista.

By the end of this year, only 7% of respondents plan to even start deploying Vista at all, said Forrester analyst Ben Gray in that report.

"I'll be honest, we haven't moved a lot of users," said Lee Nicholls, global solutions director at Getronics NV. While the Microsoft systems integrator has the conversion of 200,000 Windows corporate users in its current pipeline, it has so far actually moved only about 14,000 Windows users to Vista, Nicholls said.

Fault enough to go around

Not every reason why companies are dragging their feet is Microsoft's fault. Planning and preparing for an operating system upgrade, especially for a large corporation with tens of thousands of PCs running thousands of different applications, can take months or years.

Other reasons, such as Vista's hefty hardware requirements, can be laid at Microsoft's feet. Deploying Vista requires companies to upgrade many PCs faster than they want.

"Bringing forward a hardware refresh [to upgrade to Vista] is not a conversation that is going to fly with many companies," Nicholls said.

Microsoft reportedly planned to spend $500 million worldwide this year to market Vista. Despite that spending, Microsoft still "didn't do such a great job" explaining "the business value" of Vista to corporations, asserted Nicholls.

That has led to the perception that "XP is good enough in most cases," Nicholls said -- a perception that he argues, citing Getronics' own projections for IT labor cost savings from Vista's improved security and manageability, is untrue. Microsoft should use similar data to take the offensive, he said.

"How many financial services CIOs just want 'good enough'?" he said. "Don't they want software that can create genuine improvement on the bottom line?"

Microsoft also invested heavily in tightening Vista's security and adding features such as BitLocker drive encryption and Group Policy, improvements the company figured would drive corporate upgrades.

That may have also been a misstep.

And while consumers are more drawn to flashy new features, companies tend to be more concerned that new software is fully baked and bug-free -- something on which Microsoft has burned them in the past.

"A lot of people still have the impression that no Microsoft product is stable or complete until SP1 or SP2," said Sumeeth Evans, IT manager at Collegiate Housing Services. That's wrong, said Evans, who moved all 78 of the Indianapolis firm's employees to Vista earlier this year and said he enjoys fewer help desk calls concerning Vista than XP.

On the horizon

Microsoft shipped a release candidate for Vista SP1 earlier this month. It still plans to release the final version in the first quarter next year.

And Microsoft isn't standing still. The company is actively pushing a slew of free tools designed to help companies more easily plan for and deploy Vista.

Collegiate Housing Services used the Windows Vista Hardware Assessment tool and the Application Compatibility Toolkit 5.0 to help it upgrade to Vista, Evans said. The tools helped his IT team upgrade nearly three times the number of PCs in half the man-hours, he said.

Microsoft said Windows Vista Hardware Assessment has been downloaded 329,000 times, Application Compatibility Toolkit 5.0 340,000 times and the Business Desktop Deployment 2007 kit 283,000 times.

All this is to say that things should start to pick up in the coming year. By the end of 2008, one quarter of corporate PCs in North America and Europe will be running Vista, according to Forrester's Gray. Linux will continue to make minor inroads, but Gray is unequivocal that corporations will eventually standardize on Vista the same way they have on XP.

CNN/YouTube Republican debate fails to wow

Debate needed quicker pace, more personal questions from YouTube users, critics say
- The first CNN/YouTube debate in July, featuring Democratic presidential candidates, drew mixed reviews from academics and the blogosphere. Last night's second CNN/YouTube debate, which featured the Republican candidates, was even less successful, according to initial feedback.

The Republican debate held in Florida on Wednesday featured 34 video questions for the candidates that were submitted to YouTube Inc. Most of the questions focused on less personal topics than those lobbed at the Democrats, noted Bruce Gronbeck, director of the University of Iowa's Center for Media Studies and Political Culture.

"It wasn't nearly as interesting as the first try at the YouTube stuff," he said. "CNN took many personalized questions from the YouTube submissions for the Democratic debate -- people looking for help with individual problems susceptible to governmental interventions. The Republicans got few individualized questions, but in the main, [they got] generic, passionless inquiries about war, borders, the space program, the Bible, Roe v. Wade, farm subsidies and, of course, tax increases. Ho hum."

Overall, he added that the "circus, the spectacle of political and personal banter" overwhelmed the goal of the debate -- to allow voters themselves to play a larger role in the debate process. "Maybe politicians and the networks are not yet ready to let open-source politics hold sway even for two hours during the almost year-and-a-half this country will spend on primaries and caucuses."

Julie Barko Germany, deputy director of the Institute for Politics, Democracy and the Internet at George Washington University, noted that the Republican candidates squandered their opportunities to create YouTube-style videos to be aired during the debate and instead reverted to old-school attack advertisements.

"Everybody likes the idea of finding a way to include Americans more in the debate process," she said. "We're running a YouTube-style debate like an old-style debate. I don't just mean CNN as the gatekeepers, but giving the candidates too much time to go back and forth. People watch two-minute clips on YouTube. They don't watch very slow, long drawn-out pieces. We need something faster to keep people engaged in what is going on."

Micah Sifry, a blogger at TechPresident.com, noted that while a few questions from the debate packed an emotional punch because they obviously were personal to the voters in the video, "fewer of them seemed to hit that mark" than in the Democratic debate.

"Where were the questions on topics like the economy, jobs, health care, the fall of the dollar, trade, political reform (beyond pork), the environment or energy?" Sifry wrote. "Could CNN have thought those were 'Democratic hand grenades?' Strange, given how much time they gave to topics like immigration, guns and the Bible. When you look at the questions that were submitted to YouTube for the debate, you'll see plenty in the top 40 most viewed that touch on energy, the environment, health care and political reform. Very odd that these were not included."

Sifry also lamented the compressed format of the debate, with all the candidates' remarks squeezed into short answers and rebuttals.

"This is no way to interview the candidates for president," Sifry noted. "This is the Internet Age, folks. We don't have to put up with the constrained world of television. Enough already!"

Google expunges malware sites from search results

- Google Inc. has purged its index of the thousands of malware sites that wormed their way into results lists for hundreds of legitimate search phrases, researchers confirmed today.

"They look gone to us," said Alex Eckelberry, the CEO of Sunbelt Software Distribution Inc., the company that broke the news Monday of a massive, coordinated campaign by attackers to spread malware through search results on Google, Yahoo, Microsoft Live Search and other sites.

"Google did confirm yesterday with us that they were working the case, and they are good about nailing this stuff," Eckelberry added in an e-mail late Wednesday afternoon. Sunbelt had notified Google of its findings on Monday.

Earlier today, Sunbelt malware researcher Adam Thomas said his spot searches on Google the night before had come up sans malware URLs. "They appeared to be zapped," Thomas had said.

Ironically, Google itself refused to confirm or deny that it had cleansed its index of the more than 40,000 malware hosting sites, or even that they had existed. "Google takes the security of our users very seriously, especially when it comes to malware," a company spokeswoman said today in an e-mail. "In our search results, we try to warn users of potentially dangerous sites when we know of them. Sites that clearly exploit browser security holes to install software, such as malware, spyware, viruses, adware and Trojan horses, are in violation of the Google quality guidelines and may be removed from Google's index."

She did not, however, answer questions about how long it takes Google to purge its search index or whether it has countermeasures that are supposed to keep sites from gaming its ranking system. According to Thomas, the group who created and stocked the sites with Trojan horses, rootkits and password-stealers drove up those sites' search-result rankings by spamming blogs and site-comment sections with their links.

A Yahoo spokeswoman said her company has taken action to fend off malware. "Yahoo! is very serious about protecting its users from malicious sites on the Web," she said in an e-mailed statement. "Malware is an ongoing battle for all search engines and Yahoo has processes in place to quickly remove these sites from its index."

Microsoft Corp., meanwhile, would only say that it was on the case. "We are aware of the issues and are working to rectify the situation," said Justin Osmer, a senior product manager for Live Search, in an e-mail sent by the company's public relations firm.

Yahoo Inc. did not respond to a similar request for comment Wednesday.

Sunbelt first noticed the huge number of infected sites, and their appearance in results lists for a bewildering array of searches, on Sunday. Thomas explained how the attackers managed to beat the search system. "For months now, our research team has monitored a network of bots whose sole purpose is to post spam links and relevant keywords into online forms, typically comment forms and bulletin board forums," he said. "This network, combined with thousands of pages such as the two seen above, have given the attackers very good, if not top, search-engine position for various search terms." Among the hundreds of search terms he had spotted being used were "infinity" and "hospice."

"Pretty sick," Thomas said.

Users with PCs not completely up-to-date on their patches, he continued, were attacked by what Sunbelt has dubbed "Scam.Iwin," which turns the compromised computer into a pay-per-click zombie that generates revenue for the attacker. "Scam.Iwin is also used to load malware for other groups," claimed Thomas. "In this case, one of those malware groups is known to have been associated with the infamous RBN [Russian Business Network]."

The RBN, a notorious malware and hacker hosting organization, made the news this month when it pulled up stakes and shifted operations from St. Petersburg, Russia, to Shanghai. Literally within days of the move to China, however, RBN abandoned the IP blocks it had been allocated there, spurring speculation by security professionals that the network had gone underground to avoid publicity, which its criminal clients naturally shun.

Other researchers, while not downplaying the scope of the attempted attack, said that it was only its size that set this one apart.

"This is the same stuff we talk about when we talk about innocent searches, mostly anyway, and it must be working because there's a huge push at the moment," said Roger Thompson, chief technology officer at Exploit Prevention Labs Inc., in a post to his company's security blog. "Bear in mind that we see this nearly every day."